Guest isolation in AP mode in latest M4 FW not really isolating

2020-08-15 08:27:27
Model: Deco M4  
Hardware Version: V2
Firmware Version: latest available

Hi

I'm running the latest FW for my Deco M4 and the latest version of the Deco application. I see there is now an "Isolation" switch in the guest network configuration, available when running Deco in AP mode. So far so good.

When isolation is enabled and I'm connected to the Guest WiFi, indeed I can't ping any hosts in the SAME SUBNET (e.g. 192.168.1.X). I can access the internet. So far so good.

But I still have some other local subnets in my home network, like 192.168.2.X, 192.168.3.X etc. And unfortunately, I can still access all the devices in those other local subnets, the same as I can access the internet. But this is again wrong; isolation should only allow internet access. Full stop. This is an issue, of course impacting only those with multiple local subnets, but still this is a real issue.

When are you planning to fix it?

BR Pawel

Re:Guest isolation in AP mode in latest M4 FW not really isolating
2020-08-20 06:06:26

@PawelG 

 

Hello, thanks for reporting this to the community.

Please help confirm the below, as we need to confirm this issue:

1. When those devices are connected to the guest network and get the 192.168.1.x IP, what is the subnet?

2. May we know your detailed network topology? Is there a switch in the network? How many Deco M4s do you have and how are they connected in the network? What is the IP subnet on the network gateway device?

Thanks.

Re:Guest isolation in AP mode in latest M4 FW not really isolating
2020-08-20 07:28:01

@TP-Link_Deco 

 

Hi,

Thanks for the interest. Here are the details:

I have these 6 subnets in use:

192.168.1.0/24 (VLAN1)

192.168.2.0/24 (VLAN2)

192.168.3.0/24 (VLAN3)

192.168.4.0/24 (VLAN4)

192.168.5.0/24 (VLAN5)

192.168.6.0/24 (VLAN6)

They are implemented as VLANs and all connected to a VLAN-aware switch (TL-SG116E). From the switch, via a trunk port, they go to a router (Ubiquiti ER-4) which performs the actual routing (router-on-a-stick scenario).

I have 2x Deco M4, configured in Access Point mode, both connected via Ethernet cables to switch ports belonging to VLAN1. Naturally, with this setup, all the wireless clients served by Deco are automatically put into the same VLAN1.

From my check, when a Guest WLAN device gets an IP from VLAN1, it can't ping any other devices in VLAN1 except the gateway (192.168.1.1), which is as it should be. But it can easily ping and access all the other devices belonging to any of VLAN2-VLAN6.

The idea of a Guest WLAN should be that devices connected to it can ONLY access the internet, not any local resources. But maybe I'm wrong in my thinking that it can be properly blocked at the access point level, and it should be more on the router and its firewall?

BR

Pawel

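Added example (not part of the original posts, and not TP-Link's code): a small Python model of the behaviour reported in this thread, under the assumption that the isolation switch only drops guest frames that are not addressed to the gateway. The guest address 192.168.1.50, the function names and the `block_local` router policy are assumptions made for illustration; 203.0.113.10 is a documentation address standing in for an internet host.

```python
import ipaddress

# Constructed from the topology described in the thread (router-on-a-stick, guest on VLAN1).
GUEST_IF = ipaddress.ip_interface("192.168.1.50/24")    # constructed guest client address
GATEWAY = ipaddress.ip_address("192.168.1.1")
LOCAL_NETS = [ipaddress.ip_network(f"192.168.{n}.0/24") for n in range(1, 7)]


def next_hop(dst):
    """Host the guest addresses its L2 frame to: dst itself if on-link, else the gateway."""
    return dst if dst in GUEST_IF.network else GATEWAY


def ap_isolation_allows(dst):
    """Assumed AP behaviour: only frames addressed to the gateway leave the guest SSID."""
    return next_hop(dst) == GATEWAY


def router_allows(dst, block_local):
    """Hypothetical router policy: drop traffic from the guest's subnet to other local subnets."""
    routed_local = any(dst in net for net in LOCAL_NETS if net != GUEST_IF.network)
    return not (block_local and routed_local)


def reachable(dst_text, block_local=False):
    """True if a guest client can reach dst_text under the modelled AP and router policy."""
    dst = ipaddress.ip_address(dst_text)
    if not ap_isolation_allows(dst):
        return False            # same-subnet peer: stopped at the access point
    if dst == GATEWAY:
        return True             # the gateway itself stays reachable
    return router_allows(dst, block_local)


if __name__ == "__main__":
    for target in ("192.168.1.20", "192.168.1.1", "192.168.2.10", "203.0.113.10"):
        print(f"{target:15} default={reachable(target)} "
              f"router-block={reachable(target, block_local=True)}")
```

In this topology guest and main-SSID clients both receive VLAN1 addresses, so a router rule keyed on the 192.168.1.0/24 source applies to every VLAN1 client, not only to guests.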